Link to challenge: https://academy.hacking-lab.com
Date Completed: 11 December 2019
Challenge
HV19.10 Guess what
Introduction: The flag is right, of course
Resources: HV19.10-guess3.zip
Solution
We are provided with an ELF binary, so the first thing we do is run it in a Linux virtual machine.
The binary prompts us for some input and then tells us we have failed!
Example with input of test:
```
mo@ubuntu:~/Hackvent$ ./guess3
Your input: test
nooooh. try harder!
```
We look at the strings in the binary for some clues:
```
mo@ubuntu:~/Hackvent$ strings ./guess3
/lib64/ld-linux-x86-64.so.2
&J5g
libc.so.6
exit
sprintf
__isoc99_sscanf
time
__stack_chk_fail
getpid
strdup
calloc
strlen
memset
__errno_location
memcmp
putenv
memcpy
malloc
getenv
stderr
execvp
fwrite
fprintf
__cxa_finalize
atoll
strerror
__libc_start_main
__environ
__xstat
GLIBC_2.7
GLIBC_2.14
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
ATSH
[A\]
AWAVI
AUATL
[]A\A]A^A_
x%lx
=%lu
%d
%lu
%d%c
E: neither argv[0] nor $_ works.
<null>
%s%s%s: %s
;*3$"
1DB/
WF9s
@?H,
4'M0
\@J5
o-72z
GCC: (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
```
We observe that the strings "Your input" and "nooooh. try harder!" do not appear in the output.
It is reasonable to assume at this point that obfuscation is used to conceal some strings.
We decide to run the program in one shell and, while it is waiting for input, check the process status output in another shell:
```
mo@ubuntu:~/Desktop$ ps -eaf | grep guess
mo        2500  2297  0 20:11 pts/0    00:00:00 ./guess3 -c #!/bin/bash read -p "Your input: " input if [ $input = "HV19{Sh3ll_0bfuscat10n_1s_fut1l3}" ] then echo "success" else echo "nooooh. try harder!" fi ./guess3
mo        2502  2263  0 20:11 pts/2    00:00:00 grep --color=auto guess
```
The original binary essentially delegates to calling execve on /bin/bash with the script above as its -c argument, but because the whole script has to sit in the process's argument list, it is visible to anyone who can read the process status, so we simply fetch our flag from there!
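As an added example (not part of the original writeup), a small Python helper that reads argv the way ps does here, from /proc/<pid>/cmdline, and reports a process whose argv[0] is not a shell but which hands a multi-line script to a shell via -c. The SAMPLE_CMDLINE bytes are constructed to mirror the guess3 process shown above; scan_proc only does anything on a live Linux host.

```python
import os
from typing import List, Optional

# Constructed sample of /proc/<pid>/cmdline for the guess3 process: argv entries
# are NUL-separated and the whole bash script travels as a single argv entry.
SAMPLE_CMDLINE = (
    b"./guess3\0-c\0#!/bin/bash\nread -p \"Your input: \" input\n"
    b'if [ $input = "HV19{Sh3ll_0bfuscat10n_1s_fut1l3}" ]\nthen\necho "success"\n'
    b'else\necho "nooooh. try harder!"\nfi\n\0./guess3\0'
)
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}

def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated cmdline blob into argv (trailing NUL dropped)."""
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]

def inline_script(argv: List[str]) -> Optional[str]:
    """Return the script body passed to the shell via -c, or None."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-c":
            return argv[i + 1]
    return None

def suspicious_wrapper(argv: List[str]) -> Optional[str]:
    """Describe why argv looks like a binary re-exec'ing a shell with an embedded
    script under its own name (argv[0] is not a shell), else None."""
    script = inline_script(argv)
    if script is None or os.path.basename(argv[0]) in SHELL_NAMES:
        return None
    if script.startswith("#!") or "\n" in script:
        n = len(script.splitlines())
        return f"{argv[0]} passes an inline script ({n} lines) to a shell via -c"
    return None

def scan_proc() -> List[tuple]:
    """On a live Linux host, report every process whose cmdline matches."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:
            continue  # process exited or not readable
        reason = suspicious_wrapper(argv) if argv and argv[0] else None
        if reason:
            hits.append((int(pid), reason))
    return hits

if __name__ == "__main__":
    print(suspicious_wrapper(parse_cmdline(SAMPLE_CMDLINE)))
    print(inline_script(parse_cmdline(SAMPLE_CMDLINE)))
```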
Flag: HV19{Sh3ll_0bfuscat10n_1s_fut1l3}